CVE-2025-9232
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-11-04
Assigner: OpenSSL Software Foundation
Description
An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. The read is caused by a missing terminating NUL byte after a strncpy() call in use_proxy(). The only known impact is a crash of the calling application (denial of service); the OpenSSL project rates the severity Low.
Affected Vendors & Products
| Vendor | Product | Fixed in (earlier releases of the same branch are affected) |
|---|---|---|
| openssl | openssl | 3.5.4 |
| openssl | openssl | 3.4.3 |
| openssl | openssl | 3.3.5 |
| openssl | openssl | 3.2.6 |
| openssl | openssl | 3.0.18 |
| openssl | openssl | 1.1.1zd (premium support release) |
| openssl | openssl | 1.0.2zm (premium support release) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenSSL is caused by a missing terminating NUL byte after a strncpy() call in the use_proxy() function of the HTTP client. use_proxy() decides whether a host should bypass the configured proxy by matching it against the 'no_proxy' list; when the host portion of the URL is an IPv6 address, the host name is copied into a local buffer first, and that copy is left without a NUL terminator. String functions that later operate on the buffer keep reading until they find a NUL somewhere beyond it, which is an out-of-bounds read that can crash the application. Both conditions are needed: the 'no_proxy' environment variable must be set, and the HTTP URL must carry an IPv6 address as its host. [1, 2, 3, 4, 5]
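The strncpy() pattern described above, as an added illustration that is not OpenSSL's source: a bracket-stripping host copy with the missing terminator, the same copy with the terminator written, a bounds-safe check that tells the two apart, and a no_proxy matcher built on the fixed copy. The buffer size, function names and the sample inputs are assumptions made for the demo; in OpenSSL only the bracketed-IPv6 path goes through a local buffer, which is why plain hostnames do not trigger the bug.

```c
/*
 * Added illustration (not OpenSSL's code): the strncpy-without-terminator
 * bug behind the no_proxy IPv6 out-of-bounds read, beside the fixed form.
 * HOST_BUF and all names below are assumptions for this demo.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF 64 /* assumed local buffer size, not an OpenSSL constant */

/* Point *start at the host name inside 'server', stripping IPv6 brackets
 * ("[::1]" -> "::1"), and return its length. */
static size_t strip_brackets(const char *server, const char **start)
{
    size_t sl = strlen(server);

    if (sl >= 2 && server[0] == '[' && server[sl - 1] == ']') {
        *start = server + 1;
        return sl - 2;
    }
    *start = server;
    return sl;
}

/* Vulnerable pattern: strncpy copies exactly sl bytes. Because the source
 * continues past sl (the ']' and whatever follows), no NUL is written, so a
 * later strstr()/strlen() on dst runs off the end of the copied name. */
static int copy_host_buggy(char *dst, size_t dstsz, const char *server)
{
    const char *start;
    size_t sl = strip_brackets(server, &start);

    if (sl >= dstsz)
        return 0;
    strncpy(dst, start, sl); /* BUG: missing dst[sl] = '\0' */
    return 1;
}

/* Hardened form: same length check, same copy, explicit termination. */
static int copy_host_fixed(char *dst, size_t dstsz, const char *server)
{
    const char *start;
    size_t sl = strip_brackets(server, &start);

    if (sl >= dstsz)
        return 0;
    memcpy(dst, start, sl);
    dst[sl] = '\0';
    return 1;
}

/* 1 if a NUL exists within dstsz bytes, 0 if the buffer is unterminated.
 * memchr is bounded, so the check itself cannot read out of bounds. */
static int host_is_terminated(const char *dst, size_t dstsz)
{
    return memchr(dst, '\0', dstsz) != NULL;
}

/* no_proxy matcher on top of the fixed copy: 1 if 'server' appears as a
 * whole entry in the comma- or space-separated list, else 0. */
static int in_no_proxy(const char *no_proxy, const char *server)
{
    char host[HOST_BUF];
    const char *found;
    size_t hl;

    if (no_proxy == NULL || !copy_host_fixed(host, sizeof host, server))
        return 0;
    hl = strlen(host); /* safe: host is NUL-terminated */
    for (found = strstr(no_proxy, host); found != NULL;
         found = strstr(found + 1, host)) {
        int at_start = found == no_proxy || found[-1] == ' ' || found[-1] == ',';
        int at_end = found[hl] == '\0' || found[hl] == ' ' || found[hl] == ',';
        if (at_start && at_end)
            return 1;
    }
    return 0;
}

/* Returns 1 when the buggy copy leaves an IPv6 host unterminated while the
 * fixed copy yields the expected NUL-terminated string. */
static int demo_ipv6_terminator(void)
{
    char host[HOST_BUF];
    const char *server = "[2001:db8::1]"; /* constructed URL authority */
    int buggy_unterminated, fixed_ok;

    /* Pre-fill with non-NUL bytes so the missing terminator is observable
     * deterministically instead of depending on stale stack contents. */
    memset(host, 'A', sizeof host);
    copy_host_buggy(host, sizeof host, server);
    buggy_unterminated = !host_is_terminated(host, sizeof host);

    memset(host, 'A', sizeof host);
    copy_host_fixed(host, sizeof host, server);
    fixed_ok = host_is_terminated(host, sizeof host)
               && strcmp(host, "2001:db8::1") == 0;

    return buggy_unterminated && fixed_ok;
}

int main(void)
{
    printf("buggy copy unterminated, fixed copy clean: %s\n",
           demo_ipv6_terminator() ? "yes" : "no");
    printf("[::1] listed in \"localhost, ::1\": %d\n",
           in_no_proxy("localhost, ::1", "[::1]"));
    return 0;
}
```

The demo deliberately fills the buffer with 'A' before each copy so the effect of the missing terminator is visible without depending on undefined behaviour; in a real process the bytes after the copied name are whatever happened to be on the stack, which is why the failure shows up as an unpredictable crash rather than a reliable one.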
How can this vulnerability impact me?
The out-of-bounds read can crash an application that uses the OpenSSL HTTP client API, giving a Denial of Service. There is no known path to code execution or information disclosure. Exploitation requires that an attacker controls the URL handed to the OpenSSL HTTP client (for example an OCSP responder, CRL distribution point or CMP server URL) and that the 'no_proxy' environment variable is set in the process. The severity is rated Low because a crash is the only impact and both conditions must hold.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered when an application using the OpenSSL HTTP client API has the 'no_proxy' environment variable set and processes an HTTP URL whose host portion is an IPv6 address. Detection therefore comes down to two checks: whether 'no_proxy' (OpenSSL also honours the upper-case NO_PROXY) is set in the environment of the affected process, and whether the process links an OpenSSL release older than the fixed ones listed above (3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd, 1.0.2zm). On Unix-like systems, `echo "$no_proxy"` shows the variable for the current shell and `cat /proc/<pid>/environ | tr '\0' '\n' | grep -i no_proxy` shows it for a running process. `openssl version` reports the library behind the command-line tool only; applications that bundle or statically link their own OpenSSL (language runtimes, containers, appliances) must be checked separately, for example with `ldd <binary> | grep -i ssl` or the vendor's package inventory. Crashes or Denial of Service symptoms while processing URLs with IPv6 hosts may indicate exploitation attempts. No specific detection commands or network signatures are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to update OpenSSL to a release in which the missing terminating NUL byte in use_proxy() has been corrected: 3.5.4, 3.4.3, 3.3.5, 3.2.6 or 3.0.18, and for premium support customers 1.1.1zd or 1.0.2zm. The fix has been committed in multiple patches (see commits in Resources 1-5). If updating is not immediately possible, remove the 'no_proxy' (and NO_PROXY) environment variable from the affected process, or ensure that URLs with IPv6 host addresses are not passed to the OpenSSL HTTP client API functions; either change removes one of the two conditions required to trigger the read. Additionally, monitor applications for crashes related to this issue and restrict attacker-controlled URLs where feasible. [1, 2, 3, 4, 5]